Customers will only use cloud providers in which they have great trust. They must trust that the privacy of their information will be protected, and that their data will be used in a way that is consistent with their expectations.
We build privacy protections into Azure through Privacy by Design, a program which describes how we build and operate products and services to protect privacy. Standards and processes that support Privacy by Design principles include the Microsoft Online Services Privacy Statement (which details Microsoft’s core privacy requirements and practices) and the Microsoft Secure Development Lifecycle (which includes addressing privacy requirements). We then back those protections with strong contractual commitments to safeguard customer data, including offering EU Model Clauses (which provides terms covering the processing of personal information), and complying with international standards. Microsoft uses customer data stored in Azure only to provide the service, including purposes compatible with providing the service. Azure does not use customer data for advertising or similar commercial purposes.
Contractual commitments. Microsoft was the first major cloud service provider to make contractual privacy commitments that help assure the privacy protections built into in-scope Azure services are strong. Among the many commitments that
Microsoft supports are:
- EU Model Clauses. EU data protection law regulates the transfer of EU customer personal data to countries outside the European Economic Area (EEA). Microsoft offers customers the EU Standard Contractual Clauses that provide specific contractual guarantees around transfers of personal data for in-scope services. Europe’s privacy regulators have determined that the contractual privacy protections Azure delivers to its enterprise cloud customers meet current EU standards for international transfers of data. Microsoft is the first cloud provider to receive this recognition.
- US-EU Safe Harbor Framework and the US-Swiss Safe Harbor Program. Microsoft abides by these frameworks set forth by the US Department of Commerce regarding the collection, use, and retention of data from the EEA and Switzerland.
- ISO/IEC 27018. Microsoft is the first major cloud provider to adopt the first international code of practice for cloud privacy. ISO/IEC 27018 was developed to establish a uniform, international approach to protecting the privacy of personal data stored in the cloud. The British Standards Institution independently verified that Microsoft Azure is aligned with the guideline’s code of practice. ISO 27018 controls include a prohibition on the use of customer data for advertising and marketing purposes without the customer’s express consent.
Restricted access by Microsoft personnel. Access to customer data by Microsoft personnel is restricted. Customer data is only accessed when necessary to support the customer’s use of Azure. This may include troubleshooting aimed at preventing, detecting, or repairing problems affecting the operation of Azure and the improvement of features that involve the detection of, and protection against, emerging and evolving threats to the user (such as malware or spam). When granted, access is controlled and logged. Strong authentication, including the use of multifactor authentication, helps limit access to authorized personnel only. Access is revoked as soon as it is no longer needed.
Notification of lawful requests for information. Microsoft believes that customers should control their data whether stored on their premises or in a cloud service. We will not disclose Azure customer data to law enforcement except as a customer directs or where required by law. When governments make a lawful demand for Azure customer data from Microsoft, we strive to be principled, limited in what we disclose, and committed to transparency.
- Microsoft does not provide any third party with direct or unfettered access to customer data. Microsoft only releases specific data mandated by the relevant legal demand.
- If a government wants customer data—including for national security purposes—it needs to follow the applicable legal process, meaning it must serve us with a warrant or court order for content or subpoena for account information. If compelled to disclose customer data, we will promptly notify the customer and provide a copy of the demand unless legally prohibited from doing so. Microsoft will only respond to requests for specific accounts and identifiers. There is no blanket or indiscriminate access to Microsoft’s customer data. Every request is explicitly reviewed by Microsoft’s legal team, who ensures that the requests are valid, rejects those that are not, and makes sure we only provide the data specified in the order.
In its commitment to transparency, Microsoft regularly publishes a Law Enforcement
Requests Report that discloses the scope and number of requests we receive.
Greater transparency and simplicity of data use policies.
Microsoft keeps customers informed about the processes to protect data privacy and security, including practices and policies. Microsoft also provides the summaries of independent audits of services, which helps customers pursue their own compliance.